Cotton&Sweets Spółka z ograniczoną odpowiedzialnością, a limited liability company, with seat at Sienna Street 17E/1 in Grodzisk Mazowiecki (05-825), entered into the Business Activity Central Register and Information Record maintained by the Minister of Development, NIP (Taxpayer Identification Number): 5291808984, is the owner of the Online Shop and, at the same time, the data administrator.
The personal data collected by Cotton&SweetsSpółka z ograniczoną odpowiedzialnością via the Online Shop is processed in accordance with the Regulation of the European Parliament and of the Council (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation), also referred to as the “GDPR”.
Cotton&Sweets Spółka z ograniczoną odpowiedzialnością makes every effort to respect the privacy of the customers who visit the Online Shop.
§ 1 Type of data processed, purposes and legal basis
Cotton&Sweets Spółka z ograniczoną odpowiedzialnością collects information on natural persons conducting legal transactions that are not directly related to their business, natural persons conducting business or professional activity on their own behalf and natural persons representing legal persons or organizational units that are not legal entities to whom the act grants legal capacity and who conduct business or professional activity on their own behalf, hereinafter jointly referred to as the “Customers”.
The Customers’ personal data is collected when:
an account is registered in the Online Shop to create and manage an individual account. Legal basis: indispensability for the performance of the contract for the provision of the Account service (Art. 6, para. 1, letter b of the GDPR);
an order is placed with the Online Shop, in order to perform a sale contract. Legal basis: indispensability for the performance of the sale contract (Art. 6, para. 1, letter b of the GPDR);
When registering his/her account in the Online Shop, the Customer provides the following data:
postal code and town;
street with house/flat number.
name and surname;
When registering his/her account in the Online Shop, the Customer on his/her own sets an individual password to access his/her account. The Customer can change the password at a later time, on such terms as described in para. 5.
When placing an order with the Online Shop, the Customer provides the following data:
postal code and town;
street with house/flat number.
name and surname;
For entrepreneurs, the above scope of data is additionally extended by:
the entrepreneur’s company name;
When using the Online Shop Website, additional information may be downloaded, in particular: the IP address assigned to the Customer's computer or the external IP address of the Internet provider, domain name, browser type, access time, type of operating system.
Navigation data may also be collected from the Customers, including information on links the Customers decide to click on or on other activities undertaken in our Online Shop. Legal basis: a legitimate interest (Art. 6, para. 1, letter f of the GDPR), consisting in facilitating the use of services provided by electronic means and improving the functionality of these services.
In order to determine, pursue and enforce claims, certain personal data provided by the Customer, such as: name, surname, data on the use of services, may be processed as part of the use of the Online Shop functionality, if such claims result from the manner in which the Customer uses the services, and other data necessary to prove the existence of the claim, including the extent of the damage suffered. Legal basis: a legitimate interest (Art. 6, para. 1, letter f of the GDPR), consisting in determining, pursuing and enforcing claims and defending against claims in proceedings before courts and other state authorities.
The transfer of personal data to Cotton&Sweets Spółka z ograniczoną odpowiedzialnością, in connection with sale contracts concluded or services provided via the Online Shop Website is voluntary, however the failure to give the data as specified in the forms in the Registration process prevents the registration and establishment of the Customer Account, and if the Customer attempts to place an order without registering the Customer Account, the order will be prevented from being placed and executed.
§ 2 Who is data shared with or entrusted to and how long is data stored?
The Customer's personal data is provided to service providers used by Cotton&Sweets Spółka z ograniczoną odpowiedzialnością when running the Online Shop. Depending on contractual arrangements and circumstances, the service providers to whom personal data is transferred, are either instructed by Cotton&Sweets Spółka z ograniczoną odpowiedzialnością as to the purposes and methods of the data processing (processors) or they independently define the purposes and means of data processing (administrators).
Processors. Cotton&Sweets Spółka z ograniczoną odpowiedzialnością uses suppliers who process personal data only at the request of Cotton&Sweets Spółka z ograniczoną odpowiedzialnością. They, among others, include providers of hosting services, accounting services, marketing systems, systems for analysing traffic in the Online Shop, systems for analysing the effectiveness of marketing campaigns;
Administrators. Cotton&Sweets Spółka z ograniczoną odpowiedzialnością uses suppliers who do not act solely under instructions and set on their own the goals and methods of using the Customers’ personal data. They provide electronic payment and banking services.
Location. The service providers are based mainly in Poland and other countries of the European Economic Area (EEA).
The Customers' personal data is stored:
If data processing is based on consent then the Customer’s personal data is processed by Cotton&Sweets Spółka z ograniczoną odpowiedzialnościąuntil such consent is withdrawn, and after withdrawing the consent, for a period corresponding to the period of limitation of claims that Cotton&Sweets Spółka z ograniczoną odpowiedzialnością may raise and claims that may be raised against the Customer. Unless a specific regulation provides otherwise, the period of limitation is ten years, and for claims for periodic performances and claims related to conducting business activity - three years.
If data processing is based on contract performance then the Customer’s personal data is processed by Cotton&Sweets Spółka z ograniczoną odpowiedzialnością as long as it is necessary to perform the contract, and after that time for a period corresponding to the period of limitation of claims.Unless a specific regulation provides otherwise, the period of limitation is ten years, and for claims for periodic performances and claims related to conducting business activity - three years.
If the Customer makes purchases in the Online Shop, the Customer’s personal data may, depending on the Customer’s choice, be transferred to the following entities, in order to deliver the goods ordered:
When the Customer selects a payment through the PayPal, his/her personal data is transferred to the extent necessary for such payment.
The navigation data can be used to provide the Customers with better service, analyse statistical data and adapt the Online Shop to the Customer preferences, as well as to administer the Online Shop.
If the Customer subscribes to our Newsletter, Cotton&Sweets Spółka z ograniczoną odpowiedzialnością will send, to the Customer e-mail address, e-mails containing commercial information on promotions and new products available in the Online Shop.
At the request of authorized state authorities, in particular the organisational units of the Public Prosecutor’s Office, Police, President of the Office for Personal Data Protection, President of the Office ofCompetitionand ConsumerProtection or President of the Office of Electronic Communications, personal data is made available by Cotton&Sweets Spółka z ograniczoną odpowiedzialnością to such authorities.
§ 3 Cookies, IP address
The Online Shop uses small files called cookies. They are saved by Cotton&Sweets Spółka z ograniczoną odpowiedzialnością on the device of the person visiting the Online Shop, if the web browser allows it. A cookie usually contains the domain name from which it comes, its "expiration time" and an individual, randomly selected number identifying this file. Information collected using these types of files help customize products offered by Cotton&Sweets Spółka z ograniczoną odpowiedzialnością to meet individual preferences and real needs of the Online Shop visitors. They also enable us to develop general statistics of visits to the products offered in the Online Shop.
Cotton&Sweets Spółka z ograniczoną odpowiedzialnością uses two types of cookies:
Session cookies: after the browser session is finished or the computer is switched off, the saved information is removed from the device's memory. The mechanism of session cookies does not allow any personal data or any confidential information to be downloaded from the Customer computers.
Persistent cookies: they are stored in the memory of the Customer's end device and remain there until they are deleted or expire. The mechanism of persistent cookies does not allow any personal data or any confidential information to be downloaded from the Customer computers.
Cotton&Sweets Spółka z ograniczoną odpowiedzialnością uses own cookies for:
the Customer authentication in the Online Shop and running the Customer's session in the Online Shop (after logging in), thereby the Customer does not have to enter again his/her login and password on each subpage of the Online Shop;
Analyses, research and audience audits, and in particular for creating anonymous statistics that help to understand how customers use the Online Shop Website, which allows us to improve its structure and content.
Cotton&Sweets Spółka ograniczoną odpowiedzialnością uses external cookies for:
the popularization of the Online Shop using the facebook.com, a social networking service (administrator of external cookies: Facebook Inc. based in the USA or Facebook Ireland based in Ireland).
The mechanism of cookies is safe for the Online Shop Customers. In particular, it is not possible to get viruses, unwanted or malicious software onto the Customers’ computers this way. However, in their browsers, the Customers have the option of limiting or disabling access of cookies to computers. If you use this option, the use of the Online Shop will be possible, except for the functions which, by their nature, require cookies.
Internet Explorer web browser;
Microsoft EDGE web browser;
Mozilla Firefox web browser;
Chrome web browser;
Safari web browser;
Opera web browser.
Cotton&Sweets Spółka z ograniczoną odpowiedzialnością may collect the IP addresses of the Customers. An IP address is a number, which is assigned by the ISP to the computer of the Online Shop visitor. The IP number enables access to the Internet. In most cases, it is assigned dynamically to the computer, i.e. it changes every time you connect to the Internet and therefore, it is commonly regarded as non-personal identifying information. The IP address is used byCotton&Sweets Spółka z ograniczoną odpowiedzialnością, when diagnosing technical problems with the server and creating statistical analyses (e.g. determining in which regions the greatest numbers of visits are reported), as information useful in administering and improving the Online Shop, as well as for security purposes and possible identification of server-burdening undesired automatic programs for browsing the Online Shop contents.
The Online Shop Website contains links to other websites.Cotton&Sweets Spółka z ograniczoną odpowiedzialnością is not responsible for their privacy protectionrules.
§ 4 Rights of persons to whom data concerns
Right to withdraw the consent- legal basis: Art. 7, para. 3 of the GPDR.
The Customer has the right to withdraw any consent granted byhim/her to Cotton&Sweets Spółka z ograniczoną odpowiedzialnością.
The consent withdrawal takes effect since the moment of withdrawal of the consent.
The consent withdrawal does not affect the data processing performed byCotton&Sweets Spółka z ograniczoną odpowiedzialnościąin accordance with the law being in effect before such withdrawal.
As a result of the consent withdrawal, no adverse consequences are suffered by the Customer, but it may prevent further use of services or functionalities which, according to the law, may be provided byCotton&Sweets Spółka z ograniczoną odpowiedzialnością, only with the consent.
Right to object to data processing - legal basis: Art. 21 of the GPDR.
The Customer has the right to object at any time - for reasons related to his/her particular situation - to the processing of his/her personal data, including profiling, if Cotton&Sweets Spółka z ograniczoną odpowiedzialnością processes his/her data based on a legitimate interest, such as marketing of products and services offered byCotton&Sweets Spółka z ograniczoną odpowiedzialnością, keeping statistics on the use of individual functionalities of the Online Shop and facilitating the use of the Online Shop, as well as customer satisfaction surveys.
By opting out, in the form of an e-mail, of receiving marketing messages regarding products or services, the Customer voices an objection to the processing of his/her personal data, including profiling for such purposes.
If the Customer's objection proves to be grounded andCotton&Sweets Spółka z ograniczoną odpowiedzialnością has no other legal basis for the processing of personal data, the Customer's personal data, to which the Customer has lodged the objection, will be deleted.
Right to delete data (the “right to be forgotten”) - legal basis: Art. 17 of the GPDR.
The Customer has the right to demand the removal of all or some personal data.
The Customer has the right to demand the deletion of personal data if:
personal data is no longer necessary for the purposes for which it was collected or processed;
he/she withdrew his/her specific consent to the extent to which personal data was processed based on his/her consent;
he/she objected to the use of his/her data for marketing purposes;
personal data is processed unlawfully;
personal data needs to be removed, in order to fulfil a legal obligation provided for by the EU law or Member State law to whichCotton&Sweets Spółka z ograniczoną odpowiedzialnością is subject;
personal data has been collected in connection with the offering of information society services.
Despite the request to delete personal data, in connection with the submission of an objection or withdrawal of a consent, Cotton&Sweets Spółka z ograniczoną odpowiedzialnością may retain some personal data to the extent that data processing is necessary to determine, pursue or defend claims, as well as to meet a legal obligation requiring data processing under the EU law or Member State law to whichCotton&Sweets Spółka z ograniczoną odpowiedzialnościąis subject. In particular, this applies to personal data including: name, surname, e-mail address, which data is retained for the purpose of handling complaints and claims related to the use of the services of Cotton&Sweets Spółka z ograniczoną odpowiedzialnością, or additionally, data on residence address/ mailing address, order number, which data is retained for the purpose of handling complaints and claims related to concluded sales contracts or provided services.
Right to limit data processing - legal basis: Art. 18 of the GPDR.
The Customer has the right to demand the restriction of the processing of his/her personal data. Making such a demand, pending its consideration, prevents the use of certain functionalities or services, the use of which will involve the processing of data covered by the demand.Cotton&Sweets Spółka z ograniczoną odpowiedzialnościąwill not send any messages, including marketing messages.
The Customer has the right to demand the restriction of the use of his/her personal data in the following cases:
when he/she challenges the correctness of his/her personal data– then Cotton&Sweets Spółka z ograniczoną odpowiedzialnością limits the use of such data for the time needed to check its correctness, however no longer than for 7 days;
when data processing is unlawful, and instead of data deletion, the Customer will demand to limit the use of data;
where personal data is no longer necessary for the purposes for which it was collected or used, but is needed by the Customer to determine, pursue or defend claims;
when the Customer objected to the use of his/her data - then the restriction is valid for the time needed to consider whether - due to the special situation - the protection of the Customer's interests, rights and freedoms outweighs the interests that the Administrator looks after while processing the Customer's personal data.
Right of access to data - legal basis: Art. 15 of the GPDR.
The Customer has the right to obtain the confirmation from the Administrator whether it processes the Customer’s personal data, and if so, the Customer has the right to:
get access to his/her personal data;
obtain information on the purposes of data processing, categories of personal data being processed, on recipients or categories of recipients of such data, on the planned period of the Customer’s data storage or criteria for determining such period (when it is not possible to determine the planned data processing period), the Customer’s rights under the GDPR and on the right to lodge a complaint with the supervisory body, on the source of data, on automated decision-making process, including profiling and on safeguards applied in connection with the data transfer outside the European Union;
obtain a copy of his/her personal data.
Right to data rectification - legal basis: Art. 16 of the GPDR.
Right to data transfer - legal basis: Art. 20 of the GPDR.
The Customer has the right to receive his/her personal data, which he/she provided to the Administrator, and then send them to another personal data administrator of his/her choice. The Customer has also the right to demand that the Administrator send personal data directly to such an administrator, if it is technically feasible. In this case, the Administrator will send the Customer's personal data in the form of a file in csv format, which is a commonly used, machine-readable format and allows the received data to be sent to another personal data administrator.
If the Customer exercises any right arising out of the above rights thenCotton&Sweets Spółka z ograniczoną odpowiedzialnością either fulfils the demand or refuses to fulfil it promptly but no later than within a month after receiving it. However, if - due to the complicated nature of the demand or a number of demands -Cotton&Sweets Spółka z ograniczoną odpowiedzialnością is not able to fulfil the demand within a month, it will fulfil them within successive two months by informing the Customer about the intended extension of the above time limit and reasons therefor within one month of receiving the demand(s).
The Customer may submit, to the Administrator, complaints, inquiries and requests regarding the processing of the Customer’s personal data and the exercise of the Customer’s rights.
The Customer has the right to lodge a complaint with the President of the Office for Personal Data Protection regarding the violation of the Customer’s rights to personal data protection or other rights granted under the GDPR.
§ 5 Security management - password
Cotton&Sweets Spółka z ograniczoną odpowiedzialnością provides the Customers with a secure and encrypted connection when sending personal data and when logging in to the Customer Account at the Website.Cotton&Sweets Spółka z ograniczoną odpowiedzialnością uses an SSL certificate issued by one of the world's leading companies in the field of security and encryption of data transmitted via the Internet.
In the event that the Customer, who has an account in the Online Shop, has lost his/her access password in any way, the Online Shop allows a new password to be generated.Cotton&Sweets Spółka z ograniczoną odpowiedzialnością does not send a password reminder. The password is stored in a database, in an encrypted form in a way that prevents its reading. In order to generate a new password, please enter your e-mail address in the form available under the link "Forgot your password" located next to the login form for the Online Shop account. The new password will automatically be sent to the e-mail address given during the registration or saved in the last change of the account profile.
Cotton&Sweets Spółka z ograniczoną odpowiedzialnością never sends any correspondence, including electronic correspondence, with a request to provide login data, in particular the access password to the Customer's account.
Last updated: 25/05/2018